ISO 27001 Annex A Control 8.16

ISO 27001 control 8.16 Monitoring activities

The basics

ISO 27001 control A.8.16 Monitoring activities requires organizations to observe their systems in order to recognize unusual activities and, if needed, to activate the appropriate incident response. This includes monitoring of IT systems, networks, and applications. It is a new control introduced in the 2022 revision of the standard.

Documentation

ISO 27001 control A.8.16 Monitoring Activities can be documented:

These documents are not mandatory, but are recommended.

Implementation

In order to comply with control A.8.16 Monitoring activities you might implement the following:

  • Technology — the technology that enables monitoring could include software (e.g., the task manager or event log of an operating system, a dedicated monitoring tool, etc.) or hardware (a monitoring server). Smaller companies will probably be able to monitor events using features built into their existing systems, whereas larger companies will probably need software that collects and monitors data from several assets at once, such as centralized log collection or a SIEM.
  • Organization/processes — you should set up a process for configuring and performing monitoring of IT systems, networks, and applications and, if needed, activating the appropriate incident response. You can document those processes through the Security Procedures for IT Department or a Logging & Monitoring Procedure.
  • People — make employees aware of why recognizing unusual activities is needed, and train IT staff on how to monitor systems, networks, and applications.
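As an added illustration (not part of the original page, and not a product or template of any vendor), the following Python script shows the kind of monitoring rule the "Technology" and "Organization/processes" items describe: it reads authentication log lines, recognizes an unusual pattern (a burst of failed logins from one source), and hands a structured alert to the incident response process. The log lines, the 5-failures-in-60-seconds threshold, and the recommended action are all constructed assumptions chosen for the example; a real deployment would tune them to its own baseline.

```python
"""Minimal monitoring rule: flag a burst of failed logins per source address.

Added example for illustration only. The log lines, threshold, window and
recommended action below are constructed assumptions, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/syslog-like format (not real traffic).
# 203.0.113.7 fails five times within a few seconds; 198.51.100.20 fails
# twice, minutes apart, and then succeeds, which is normal user behaviour.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
2024-03-01T09:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 50113 ssh2
2024-03-01T09:00:04 sshd[1203]: Accepted publickey for alice from 198.51.100.20 port 40210 ssh2
2024-03-01T09:00:05 sshd[1204]: Failed password for root from 203.0.113.7 port 50114 ssh2
2024-03-01T09:00:06 sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 50115 ssh2
2024-03-01T09:00:07 sshd[1206]: Failed password for root from 203.0.113.7 port 50116 ssh2
2024-03-01T09:00:09 sshd[1207]: Failed password for bob from 198.51.100.20 port 40211 ssh2
2024-03-01T09:05:00 sshd[1208]: Failed password for bob from 198.51.100.20 port 40212 ssh2
2024-03-01T09:10:00 sshd[1209]: Accepted password for bob from 198.51.100.20 port 40213 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source that reaches `threshold` failed logins within `window`.

    A sliding window of timestamps is kept per source. Each source is alerted
    at most once so that a long-running attack does not flood the incident
    response team with duplicate alerts (the alert carries the running count).
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    targeted = defaultdict(set)  # src -> user names tried
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        targeted[ev["src"]].add(ev["user"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "rule": "auth.bruteforce",
                "src": ev["src"],
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": q[-1].isoformat(),
                "users": sorted(targeted[ev["src"]]),
                # Hypothetical hand-off to the incident response procedure.
                "recommended_action": "block source and open an incident ticket",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the script raises a single alert for 203.0.113.7 (five failures between 09:00:01 and 09:00:07, targeting admin, root and test) and stays silent for 198.51.100.20. Whatever tool actually implements this in your environment, the auditor-relevant parts are the same: a documented rule with a defined threshold, a record of the alert, and a link from that alert to the incident response that followed.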

Audit evidence

During the audit, the auditor might look for the following evidence regarding control A.8.16 Monitoring activities: whether the behavior of information systems is monitored for anomalies (e.g., monitoring configuration and alert records) and whether, when needed, appropriate incident response is taken (e.g., incident records linked to those alerts).